NAB takes aim at supply chain attacks

NAB has revealed a large-scale security effort aimed at curbing the risk posed by supply chain attacks as well as by a growing number of internet of things devices connected to its network.

Chief enterprise security officer David Fairman said in a Medium post that the bank is building an “integrated security function” that would make it the first institution in Australia to “bring together cybersecurity, fraud, investigations and physical security.”

“The management of those different security functions has been combined and NAB is now progressing on to merging the security operations centres and processes for those functions,” Fairman said.

“In order to manage all those unified functions, NAB is employing new big data analytics techniques to bring together data from IoT devices, physical security equipment, the bank’s data network and threat intelligence networks.”

The bank has codenamed the initiative ‘security fusion’.

“It’s about bringing all those siloed pieces of data into one big data lake and leveraging artificial intelligence, machine learning and clustering analysis to identify patterns and unknowns,” Fairman said.

Fairman said he was particularly concerned at the possibility of NAB falling victim to an attack where the credentials of a third-party such as a contractor were exploited.

He cited the 2014 breach of US retailer Target as an example. There, it is believed that the attackers stole network credentials from a heating, ventilation and air conditioning (HVAC) contractor.

It was reported at the time that the contractor may have held active network credentials for the retailer in order to provide real-time updates and alerts on temperatures from stores.

“NAB works with a number of third parties and, in some cases, those partners use other companies and contractors,” Fairman said.

“That creates challenges for us as we have to ensure the security of an increasingly complex supply chain.

“We need to engage with vendors that provide services to us because supply chain risk is a big deal.”

The risk of supply chain attacks has been heightened over the past year, though mostly over concerns of third-party hardware or software being compromised.

The destructive NotPetya malware spread through the compromise of hosted software, which gave attackers a path into many large multinational firms such as DLA Piper and Maersk.

Supply chain attacks received renewed attention late last year after reports of server boards being compromised, though the reports have since been largely discredited by the security industry.

Still, it appears companies like NAB are sufficiently concerned at the risks and are looking beyond their immediate networks to provide additional security assurance.

In addition, Fairman said the bank was concerned that physical security systems could be used as an entry point for attacks on the IT network.

“A lot of the cyber risk seen in physical security is IoT based, including alarms, CCTV and sensors,” he said.

“If that gets taken out, it gives us a blind spot.”